Skip to content

Commit

Permalink
Solidity language support for CodeQL
Browse files Browse the repository at this point in the history
  • Loading branch information
faculerena committed Oct 15, 2024
0 parents commit f82ff58
Show file tree
Hide file tree
Showing 126 changed files with 27,694 additions and 0 deletions.
55 changes: 55 additions & 0 deletions .github/workflows/solidity-docs.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
name: Deploy Docs

on:
push:
branches:
- main
paths:
- "solidity/codeql/docs/**"
workflow_dispatch:

jobs:
deploy:
name: Deploy to GitHub Pages
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./solidity/codeql/docs/
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 20

- uses: pnpm/action-setup@v3
name: Install pnpm
with:
version: 9
run_install: false

- name: Get pnpm store directory
id: pnpm-cache
run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_OUTPUT

- uses: actions/cache@v4
name: Setup pnpm cache
with:
path: ${{ steps.pnpm-cache.outputs.pnpm_cache_dir }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('./solidity/codeql/docs/pnpm-lock.yaml') }}
restore-keys: ${{ runner.os }}-pnpm-store-

- name: Install dependencies
run: pnpm install --frozen-lockfile

- name: Build website
run: pnpm build

- name: Deploy to GitHub Pages
uses: peaceiris/actions-gh-pages@v4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
# Build output to publish to the `gh-pages` branch:
publish_dir: ./solidity/codeql/docs/build
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
# CyScout
1 change: 1 addition & 0 deletions solidity/.gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Cargo.lock -diff -whitespace
7 changes: 7 additions & 0 deletions solidity/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
extractor/target
.vscode/launch.json
.cache
ql/test/**/*.testproj
ql/test/**/*.actual
ql/test/**/CONSISTENCY
.codeql
6 changes: 6 additions & 0 deletions solidity/codeql/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
solidity-test/../log/
codeql/
target/
*.log
solidity-test/dbs/
.vscode
56 changes: 56 additions & 0 deletions solidity/codeql/BUILD.bazel
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup")
load("//misc/bazel:pkg.bzl", "codeql_pack", "codeql_pkg_files")

package(default_visibility = ["//visibility:public"])

alias(
name = "dbscheme",
actual = "//solidity/ql/lib:dbscheme",
)

alias(
name = "dbscheme-stats",
actual = "//solidity/ql/lib:dbscheme-stats",
)

codeql_pkg_files(
name = "dbscheme-group",
srcs = [
":dbscheme",
":dbscheme-stats",
],
strip_prefix = None,
)

pkg_filegroup(
name = "db-files",
srcs = [
":dbscheme-group",
"//solidity/downgrades",
],
)

codeql_pkg_files(
name = "codeql-extractor-yml",
srcs = ["codeql-extractor.yml"],
strip_prefix = None,
)

codeql_pkg_files(
name = "extractor-arch",
exes = [
"//solidity/extractor",
],
prefix = "tools/{CODEQL_PLATFORM}",
)

codeql_pack(
name = "solidity",
srcs = [
":codeql-extractor-yml",
":dbscheme-group",
":extractor-arch",
"//solidity/downgrades",
"//solidity/tools",
],
)
22 changes: 22 additions & 0 deletions solidity/codeql/Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
CODEQL_COMMIT = 123c375d844b9c2fd9ffcb4315a3f50c6b56f5ae
CODEQL_PATH = codeql

install-for-vscode:
cd $(CODEQL_PATH)/solidity/ql/lib && codeql pack install

clone-codeql:
if [ ! -d "$(CODEQL_PATH)" ]; then \
git clone https://github.com/github/codeql.git; \
fi
cd $(CODEQL_PATH) && git checkout $(CODEQL_COMMIT)

copy-solidity: clone-codeql
cp -r solidity $(CODEQL_PATH)

build-extractor: copy-solidity
cd $(CODEQL_PATH)/solidity && make extractor

create-dbs: build-extractor
cd solidity-test && ./create-dbs.sh

full-install: build-extractor create-dbs install-for-vscode
127 changes: 127 additions & 0 deletions solidity/codeql/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
# ![CF](https://github.com/user-attachments/assets/8a0e9680-8088-478e-92ae-bc0e16840dc3) CoinFabrik CodeQL for Solidity

This repository contains CoinFabrik's ongoing research and development to extend CodeQL support to the Solidity smart contract language. By leveraging the foundational work done by the CodeQL team for Ruby, we have adapted and expanded their approach to create a powerful toolset for analyzing Solidity code.

## 🔍 Overview

Our goal is to provide a comprehensive set of tools for querying and detecting vulnerabilities in Solidity smart contracts. We build upon the work of [Joran Honig's Solidity Tree-sitter grammar](https://github.com/JoranHonig/tree-sitter-solidity) and the CodeQL team's [Ruby implementation](https://github.blog/security/web-application-security/code-scanning-and-ruby-turning-source-code-into-a-queryable-database/). The project includes an extractor, database schema generation, and abstractions such as a cleaner Abstract Syntax Tree (AST), Control Flow Graph (CFG), and Dataflow analysis. These elements enable complex vulnerability detection and querying, similar to the C++ libraries in CodeQL.


## 🚀 Project Status

- **Extractor and Database Schema**: Usable and functional for Solidity codebases.
- **Current Work**: We are actively developing a cleaner AST, CFG, and Dataflow support to enhance the detection of vulnerabilities.
- **Proof of Concept (PoC)**: Three simple detector examples are provided to demonstrate basic usage and potential.

## 🏁 Getting Started

To get started with analyzing Solidity smart contracts using CodeQL, follow these steps:

### 1️⃣ Install CodeQL CLI

First, download and install the CodeQL CLI by following the instructions provided in the [official CodeQL CLI repository](https://github.com/github/codeql-cli-binaries).

### Clone CodeQL repository

Clone this repository from [CodeQl](https://github.com/github/codeql)

### 2️⃣ Setting up Solidity Extractor
- Go to `codeql-research/solidity/extractor-pack/tools` and give all `.sh` files execute permissions. This is:

```bash
chmod +x *.sh
```

- Copy the `solidity` and `solidity-test` folders of this repository (`codeql-research`) inside `CodeQL CLI repository` and `CodeQL`. Both at root level.


- Inside `CodeQL` repository, in this path `codeql/solidity` run:

```shell
bash scripts/create-extractor-pack.sh
```

You should see

![output after running create-extractor-pack.sh](images/image1.png)


### 3️⃣ Extract Solidity Code

To create a CodeQL database from a Solidity codebase, run the following command:

```shell
codeql database create /path-to-database/ -l solidity -s /path-to-solidity-codebase/ --search-path /path-to-[solidity/extractor-pack]/
```

If all went smoothly, you should see something of the kind:


```shell

codeql database create /home/user/codeql/solidity-test/test-db-bitshift-examples -l solidity -s /home/user/codeql/solidity-test/bitshift-order-test --search-path ../solidity/extractor-pack --overwrite
Initializing database at /home/user/codeql/solidity-test/test-db-bitshift-examples.
Running build command: []
Running command in /home/user/codeql/solidity-test/bitshift-order-test: [/home/user/codeql/solidity/extractor-pack/tools/autobuild.sh]
[2024-09-03 12:55:56] [build-stderr] Scanning for files in /home/user/codeql/solidity-test/bitshift-order-test...
[2024-09-03 12:55:56] [build-stderr] /home/user/codeql/solidity-test/test-db-bitshift-examples: Indexing files in in /home/user/codeql/solidity-test/bitshift-order-test...
[2024-09-03 12:55:56] [build-stderr] Running command in /home/user/codeql/solidity-test/bitshift-order-test: [/home/user/codeql/solidity/extractor-pack/tools/index-files.sh, /home/user/codeql/solidity-test/test-db-bitshift-examples/working/files-to-index13975833793457248559.list]
[2024-09-03 12:55:56] [build-stdout] [2024-09-03 12:55:56] [build-stdout] INFO Extraction started
[2024-09-03 12:55:56] [build-stdout] [2024-09-03 12:55:56] [build-stdout] INFO Using 7 threads
[2024-09-03 12:55:56] [build-stdout] [2024-09-03 12:55:56] [build-stdout] INFO extracting: /home/user/codeql/solidity-test/bitshift-order-test/remediated.sol
[2024-09-03 12:55:56] [build-stdout] [2024-09-03 12:55:56] [build-stdout] INFO extracting: /home/user/codeql/solidity-test/bitshift-order-test/vulnerable.sol
[2024-09-03 12:55:56] [build-stdout] [2024-09-03 12:55:56] [build-stdout] INFO Extraction complete
Finalizing database at /home/user/codeql/solidity-test/test-db-bitshift-examples.
Running TRAP import for CodeQL database at /home/user/codeql/solidity-test/test-db-bitshift-examples...
Importing TRAP files
Merging relations
Finished writing database (relations: 4.86 KiB; string pool: 2.05 MiB).
TRAP import complete (983ms).
Finished zipping source archive (643.00 B).
Successfully created database at /home/user/codeql/solidity-test/test-db-bitshift-examples.

```
### 4️⃣ Run Sample Detectors
Once the database is created, you can run sample detectors written in the QL language:
```bash
codeql query run /path-to-detector/ -d /path-to-created-database/
```
For instance:
```shell
[1/1] Found in cache: /home/user/codeql/solidity/ql/lib/detector3.ql.
detector3.ql: Evaluation completed (191ms).
| col0 | col1 |
+-----------------+------------------------------------------------------------------------------+
| YulFunctionCall | /home/user/codeql/solidity-test/bitshift-order-test/vulnerable.sol@4:18:4:26 |
Shutting down query evaluator.
```
## Detectors
Num | Detector | What it Detects
--- | --- | ---
1 | `detector1` | [transferFrom uses arbitrary `from`](det01_doc.md)
2 | `detector2` | [usage of the word 'FIX' in comments](det02_doc.md)
3 | `detector3` | [incorrect order of arguments in bit shift operations](det03_doc.md)
4 | `detector3` | [Dead code: unreachable basic blocks](det03_doc.md)
### Further Documentation
For more detailed instructions on using CodeQL, refer to the [official CodeQL documentation](https://codeql.github.com/docs/).
## 🤝 Contributing
We welcome contributions to enhance and expand the support for Solidity in CodeQL. Feel free to submit issues, feature requests, or pull requests.
## License
The code in this repository is licensed under the [MIT License](LICENSE) by CoinFabrik.
For further information on CodeQL and CodeQL CLI licensing, please refer to the official [repo](https://github.com/github/codeql-cli-binaries).
29 changes: 29 additions & 0 deletions solidity/codeql/codeql-extractor.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: "solidity"
display_name: "Solidity"
version: 0.1.0
column_kind: "utf8"
legacy_qltest_extraction: true
build_modes:
- none
github_api_languages:
- Solidity
scc_languages:
- Solidity
file_types:
- name: solidity
display_name: Solidity files
extensions:
- .sol
options:
trap:
title: Options pertaining to TRAP.
type: object
properties:
compression:
title: Controls compression for the TRAP files written by the extractor.
description: >
This option is only intended for use in debugging the extractor. Accepted
values are 'gzip' (the default, to write gzip-compressed TRAP) and 'none'
(to write uncompressed TRAP).
type: string
pattern: "^(none|gzip)$"
1 change: 1 addition & 0 deletions solidity/codeql/docs/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
node_modules/
41 changes: 41 additions & 0 deletions solidity/codeql/docs/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Website

This website is built using [Docusaurus](https://docusaurus.io/), a modern static website generator.

### Installation

```
$ yarn
```

### Local Development

```
$ yarn start
```

This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.

### Build

```
$ yarn build
```

This command generates static content into the `build` directory and can be served using any static contents hosting service.

### Deployment

Using SSH:

```
$ USE_SSH=true yarn deploy
```

Not using SSH:

```
$ GIT_USER=<Your GitHub username> yarn deploy
```

If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch.
3 changes: 3 additions & 0 deletions solidity/codeql/docs/babel.config.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
module.exports = {
presets: [require.resolve('@docusaurus/core/lib/babel/preset')],
};
Loading

0 comments on commit f82ff58

Please sign in to comment.